bindfs for web docroot - is this sane?

To: debian-user@lists.debian.org
Subject: bindfs for web docroot - is this sane?
From: Richard Hector <richard@walnut.gen.nz>
Date: Tue, 11 Oct 2022 21:03:03 +1300
Message-id: <[🔎] 67f2628c-a092-a03b-6912-77ef21dc78a9@walnut.gen.nz>

Hi all,

I host a few websites, mostly Wordpress.

I prefer to have the site files (mostly) owned by an owner user, andphp-fpm runs as a different user, so that it can't write its own code.For uploads, those directories are group-writeable.

Then for site developers (who might be contractors to my client) to beable to update teh site, they need read/write access to the docroot, butI don't want them all logging in using the same account/credentials.

So I've set up bindfs ( https://bindfs.org/ ) with the following fstabline (example at this stage):

/srv/wptest-home/doc_root /home/richard/wptest-home/doc_root fuse.bindfs--force-user=richard,--force-group=richard,--create-for-user=wptest-home,--create-for-group=wptest-home0 0

That means they can see their own 'view' of the docroot under their ownhome directory, and they can create files as needed, which will have thecorrect owner under /srv. I haven't yet looked at what happens with theuploaded and cached files which are owned by the php user; hopefullythat works ok.

This means I don't need to worry about sudo and similar things, orchown/chgrp - which in turn means I should be able to offer sftp as analternative to full ssh logins. It can probably even be chrooted.


Does that sound like a sane plan? Are there gotchas I haven't spotted?

Cheers,
Richard

Reply to:

Follow-Ups:
- Re: bindfs for web docroot - is this sane?
  - From: hede <debian452@der-he.de>
- Re: bindfs for web docroot - is this sane?
  - From: Dan Ritter <dsr@randomstring.org>

Prev by Date: Re: Listing .PDFs on web site?
Next by Date: Re: Listing .PDFs on web site?
Previous by thread: Re: Listing .PDFs on web site?
Next by thread: Re: bindfs for web docroot - is this sane?
Index(es):
- Date
- Thread